Posted to users@tomcat.apache.org by Siddhi Borkar <si...@persistent.co.in> on 2013/03/06 07:44:36 UTC

Error configuring tomcat with ssl certificates


Hi,

I need help configuring Tomcat 6 with SSL certificates. I have been provided with the following:
cacert.pem
prvkey.key
and sslcert.crt

I tried the following steps:

1) Generated a keystore using the Java keytool and the certificate file, with the following command:

keytool -import -trustcacerts -alias tomcatcert -file sslcert.crt -keystore keystore

2) Added the .pem file to the keystore:

keytool -import -trustcacerts -alias root -file cacert.pem -keystore keystore

3) Started the Tomcat server.

4) After starting the server, the following error was seen in the logs.

Mar 4, 2013 10:52:22 PM org.apache.coyote.http11.Http11Protocol start
SEVERE: Error starting endpoint
java.io.IOException: jsse.invalid_ssl_conf
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:755)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:460)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:130)
        at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
        at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
        at org.apache.catalina.connector.Connector.start(Connector.java:1107)
        at org.apache.catalina.core.StandardService.start(StandardService.java:531)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:593)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at sun.security.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:327)
        at sun.security.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:272)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:751)
        ... 15 more


Can someone help on this?
Thanks



DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.

RE: Error configuring tomcat with ssl certificates

Posted by Brijesh Deo <bd...@SonicWALL.com>.
-----Original Message-----
From: Siddhi Borkar [mailto:siddhi_borkar@persistent.co.in] 
Sent: 06 March 2013 15:12
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates

Thanks Brijesh,

The certificate that I am using is an RSA-based certificate. I tried listing the RSA-based ciphers in the server.xml, however it still gave me the same error.

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/tmp/.keystore" keystorePass="changeit"
           enableLookups="false"
           ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
           clientAuth="false" sslProtocol="TLS" />

Any idea what else could be going wrong?
Thanks,
Siddhi

Hi Siddhi,
You can check your keystore type. If it is not JKS, then you need to specify the keyStoreType also in the connector definition.

-Brijesh


-----Original Message-----
From: Brijesh Deo [mailto:bdeo@SonicWALL.com] 
Sent: Wednesday, March 06, 2013 12:25 PM
To: Tomcat Users List
Subject: RE: Error configuring tomcat with ssl certificates


Siddhi,
You might want to check your ciphers attribute value in the Connector definition in the server.xml file. Generally, the list of ciphers that you include here is based upon the type of your certificate. If you have an RSA-based certificate, you need to list RSA-based ciphers (the ones with _RSA in the cipher suite name), and similarly for a DSA-based certificate you should have the corresponding cipher suites (the ones with _DSS in the cipher suite names). Maybe you have this mismatched and that is the problem.

The other way round would be to generate or use a certificate based upon the cipher suites that you want, or that are supported, in your ciphers attribute value.

Brijesh Deo
Dell | SonicWALL


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Error configuring tomcat with ssl certificates

Posted by Siddhi Borkar <si...@persistent.co.in>.
Thanks a lot Ognjen, the solution you provided worked very well.

Re: Error configuring tomcat with ssl certificates

Posted by Ognjen Blagojevic <og...@gmail.com>.
Siddhi,

On 6.3.2013 10:41, Siddhi Borkar wrote:
> The certificate that I am using is RSA based certificate,  I tried listing the RSA based ciphers in the server the xml, however it still gave me the same error.
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                   maxThreads="150"  scheme="https" secure="true" keystoreFile="/tmp/.keystore"  keystorePass="changeit" enableLookups="false"  ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"  clientAuth="false" sslProtocol="TLS" />
>
> Any idea what else could be going wrong?

You didn't import your private key into the Java keystore.

Use openssl to create a PKCS#12 keystore containing your private key (prvkey.key), your certificate (sslcert.crt) and the certificate chain (cacert.pem).

Then import the PKCS#12 keystore into the Java keystore using keytool.

Verify Java keystore with:

   keytool -list -keystore /tmp/.keystore -v

You should see one PrivateKeyEntry, with a certificate chain to a trusted CA.

-Ognjen
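Ognjen's three steps as an added shell example (not code from the thread): it bundles prvkey.key, sslcert.crt and cacert.pem into a PKCS#12, imports that into /tmp/.keystore, and checks a `keytool -list -v` listing for the single PrivateKeyEntry he describes. The file names, keystore path and password come from the thread; the alias "tomcat", the helper names and the two constructed listings are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: automates the fix Ognjen describes
# and judges a `keytool -list -v` listing. Assumptions: file names prvkey.key,
# sslcert.crt, cacert.pem and keystore /tmp/.keystore with password "changeit"
# come from the thread; alias "tomcat" is mine; openssl and keytool are on PATH.
set -eu

# Steps 1 and 2: bundle key + leaf cert + CA chain into a PKCS#12 and copy that
# single entry into the JKS the connector points at. The post's
# `keytool -import -file sslcert.crt` can only create trustedCertEntry records,
# so the server never had a key to serve.
build_keystore() {
    key=$1 cert=$2 chain=$3 jks=$4 pass=$5
    p12=$(mktemp /tmp/tomcat.XXXXXX)
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name tomcat -passout "pass:$pass" -out "$p12"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass" \
        -srcalias tomcat -destalias tomcat -destkeypass "$pass"
    rm -f "$p12"
}

# Step 3: read a `keytool -list -v` listing on stdin. The JSSE connector needs
# exactly one PrivateKeyEntry whose chain reaches the CA; trustedCertEntry
# records alone give the "No available certificate or key corresponds to the
# SSL cipher suites" error from the post. Returns 0 only when usable.
check_listing() {
    listing=$(cat)
    keys=$(printf '%s\n' "$listing" | grep -c 'Entry type: PrivateKeyEntry' || true)
    trusted=$(printf '%s\n' "$listing" | grep -c 'Entry type: trustedCertEntry' || true)
    chain=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: //p' | head -n 1)
    if [ "$keys" -ne 1 ]; then
        echo "BAD: $keys PrivateKeyEntry, $trusted trustedCertEntry: private key never imported"
        return 1
    fi
    if [ "${chain:-1}" -lt 2 ]; then
        echo "WARN: key entry holds only the leaf certificate; clients get no CA chain"
        return 2
    fi
    echo "OK: one PrivateKeyEntry with a chain of $chain certificates"
}

# Constructed, abridged listing of what the post's two `keytool -import
# -trustcacerts` commands produce: certificates only, no key.
BROKEN_LISTING='Your keystore contains 2 entries
Alias name: tomcatcert
Entry type: trustedCertEntry
Alias name: root
Entry type: trustedCertEntry'

# Constructed, abridged listing after build_keystore: one key entry with chain.
FIXED_LISTING='Your keystore contains 1 entry
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.test
Certificate[2]:
Owner: CN=Example CA'

# Stand-alone run: verdicts for both constructed listings. For a real store:
#   keytool -list -v -keystore /tmp/.keystore -storepass changeit | check_listing
for sample in "$BROKEN_LISTING" "$FIXED_LISTING"; do
    printf '%s\n' "$sample" | check_listing || true
done
```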
